Article Details
Scrape Timestamp (UTC): 2024-08-10 14:31:55.684
Source: https://thehackernews.com/2024/08/new-malware-hits-300000-users-with.html
Original Article Text
Click to Toggle View
New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions. An ongoing, widespread malware campaign has been observed installing rogue Google Chrome and Microsoft Edge extensions via a trojan distributed via fake websites masquerading as popular software. "The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands," the ReasonLabs research team said in an analysis. "This trojan malware, existing since 2021, originates from imitations of download websites with add-ons to online games and videos." The malware and the extensions have a combined reach of at least 300,000 users of Google Chrome and Microsoft Edge, indicating that the activity has a broad impact. At the heart of the campaign is the use of malvertising to push lookalike websites promoting known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass to trick users searching for these programs into downloading a trojan, which serves as a conduit for installing the browser extensions. The digitally signed malicious installers register a scheduled task that, in turn, is configured to execute a PowerShell script responsible for downloading and executing the next-stage payload fetched from a remote server. This includes modifying the Windows Registry to force the installation of extensions from Chrome Web Store and Microsoft Edge Add-ons that are capable of hijacking search queries on Google and Microsoft Bing and redirecting them through attacker-controlled servers. "The extension cannot be disabled by the user, even with Developer Mode 'ON,'" ReasonLabs said. "Newer versions of the script remove browser updates." It also launches a local extension that is downloaded directly from a command-and-control (C2) server, and comes with extensive capabilities to intercept all web requests and send them to the server, receive commands and encrypted scripts, and inject and load scripts into all pages. On top of that, it hijacks search queries from Ask.com, Bing, and Google, and funnels them through its servers and then on to other search engines. This is not the first time similar campaigns have been observed in the wild. In December 2023, the cybersecurity company detailed another Trojan installer delivered through torrents that installs malicious web extensions masquerading as VPN apps but are actually designed to run a "cashback activity hack."
Daily Brief Summary
An ongoing malware campaign is distributing trojan-based rogue extensions for Chrome and Edge browsers, affecting over 300,000 users.
Fake websites mimicking popular software downloads deliver trojans that install malicious browser extensions capable of data theft and command execution.
The campaign uses malvertising techniques to guide users to these lookalike download sites for programs such as Roblox FPS Unlocker and KeePass.
Once trojans are downloaded, they execute a PowerShell script that fetches further malware from a remote server, modifying system settings to force-install harmful extensions.
Affected browser extensions are designed to hijack and redirect search queries through attacker-controlled servers, affecting major search engines like Google and Bing.
Users cannot disable these malicious extensions, even using browser Developer Mode, and newer versions of the script can also disable browser updates.
Extensions also intercept web requests, funneling them through C2 servers where data can be stolen or manipulated.
This malware activity bears similarities to past campaigns, including a December 2023 case involving torrent-delivered trojans that disguised as VPN apps to perpetuate fraud.